[liberationtech] PRISM: NSA/FBI Internet data mining project
Kyle Maxwell
kylem at xwell.org
Fri Jun 7 13:01:54 PDT 2013
FWIW, Google has issued a similar blanket (and kinda funny) denial.
http://googleblog.blogspot.com/2013/06/what.html
On Fri, Jun 7, 2013 at 2:20 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> Apologies for replying out of thread and the wide CC list.
>
> On Fri, Jun 07, 2013 at 06:41:32PM +0200, Eugen Leitl wrote:
>> ----- Forwarded message from Matthew Petach <mpetach at netflight.com> -----
>>
>> Date: Fri, 7 Jun 2013 09:32:53 -0700
>> From: Matthew Petach <mpetach at netflight.com>
>> Cc: NANOG <nanog at nanog.org>
>> Subject: Re: PRISM: NSA/FBI Internet data mining project
>>
>> Speaking just for myself, and if you quote me on this
>> as speaking on anyone else's behalf, you're a complete
>> fool, if the government was able to build infrastructure
>> that could listen to all the traffic from a major provider
>> for a fraction of what it costs them to handle that traffic
>> in the first place, I'd be truly amazed--and I'd probably
>> wonder why the company didn't outsource their infrastructure
>> to the government, if they can build and run it so much
>> more cheaply than the commercial providers. ;P
>> 7 companies were listed; if we assume the
>> burden was split roughly evenly between them, that's
>> 20M/7, about $2.85M per company per year to tap in,
>> or about $238,000/month per company listed, to
>> supposedly snoop on hundreds of gigs per second
>> of data. Two ways to handle it: tap in, and funnel
>> copies of all traffic back to distant monitoring posts,
>> or have local servers digesting and filtering, just
>> extracting the few nuggets they want, and sending
>> just those back.
>
> That's not what PRISM is claimed to do, in the WaPo/Gu slide deck. The
> deck claims that PRISM provides a way for an analyst at NSA to request
> access to a specific target (gmail account, Skype account, Y! messenger,
> etc) and get a dump of data in that account, plus realtime access to the
> activity on the account. The volume is quoted to be on the order of
> 10k-100k of requests annually. The implication is that data production
> is nearly immediate (measured in minutes or hours at most), not enough
> time for a rubber-stamp FISA warrant, implying a fully automated system.
>
> At these volumes we're talking one, or a few, boxes at each provider;
> plus the necessary backdoors in the provider's storage systems (easy,
> since the provider already has those backdoors in place for their own
> maintenance/legal/abuse systems); and trusted personnel on staff at the
> providers to build and maintain the systems. Add a VPN link back to
> Fort Meade and you're done.
>
> That's obviously a much easier system (compared to your 200 GBps
> sniffer) to build at the $2M/yr budget, and given that $2M is just the
> government's part -- the company engineering time to do it is accounted
> separately -- it seems like a reasonable ballpark for an efficient
> government project. (There are plenty such, and the existence of
> inefficient government projects doesn't change that fact.)
>
> It's even possible that executive/legal at the providers actually aren't
> aware that their systems are compromised in this manner. NatSec claims
> will open many doors, especially with alumni of the DoD who have
> reentered the civilian workforce:
> https://financialcryptography.com/mt/archives/001431.html
>
> -andy